Gawker Password Theft a Wake-Up Call

Analysis: Underestimating your own vulnerability is a recipe for disaster.

Well, my holiday plans saw a new item move to the top of the to-do list. I found myself with the pleasant task of sweeping through my password collection, because I was lazy and Gawker Media was sloppy. It's a lesson for anyone whose livelihood depends on secure systems remaining that way.
The big story was that over the weekend of Dec. 11-12, Gawker admitted in a post on its various sites (which include Deadspin, Fleshbot, Gizmodo, io9, Jalopnik, Jezebel, Kotaku and Lifehacker, as well as Gawker itself) that its central password database had been compromised. It seems that the Gawker IT organization had used the long-obsolete DES to encrypt the password store, had ignored at least a month's worth of warnings that something fishy was going on, and had let its production servers get about three years behind on kernel patches. In short, the company's IT crew had utterly failed at its job.

This would amount to dereliction of duty in any IT
organization with pretenses to credibility. But since the editors of the main
Gawker site have in effect dared anti-organizations such as Anonymous and 4chan
to come after it, one has to compare the behavior of Gawker Media's editorial
and IT staff to the kind of idiot who climbs into the lion pen at the zoo and
is surprised by the extent of the resulting injuries. As of the afternoon of
Dec. 13, the company seemed to be placing as much of the responsibility on
those users who chose weak passwords (which included Gawker founder Nick
Denton's "24682468," or "password," used by almost 2,000 accounts) as it did on
its IT staff, who created the conditions that were so easily exploited.

Of course, I failed as well. As do many people, I have a few
medium-strength passwords that I use on more than one site. "Easy to remember,
hard to guess" describes these, and they'll hold up against a dictionary
attack, although I reckon that anyone who really wanted to crack them would do
so, probably sooner rather than later. Although I should know better, I made
the mistake of changing my Gawker password to one of my garden-variety
passwords during one of the site's occasional authentication hiccups earlier
this year. I'd meant to get around to resetting it to something fairly obscure,
but didn't.

Now, I'm paying for my laziness by going through three or
four devices, trying to figure out where I might have used the ID and password
combination that was in the Gawker database. A group calling itself Gnosis is
claiming responsibility for the theft of the Gawker Media password database,
and reports indicated that by midday of Dec. 12, almost 200,000 user IDs
and passwords had been cracked and posted in a torrent for the entire world to
see.

The only thing I can claim to have done right is to use more
than one ID for my personal business, and to keep my business e-mail traffic
separate from my personal e-mail. Although I'm going to be extra careful about
my identities and passwords for a long while, I don't feel like much of a
chump. After all, I'm not the Gawker employee who encrypted the passwords using
an insecure method, I'm not the Gawker IT manager who blew off three years'
worth of kernel patches, and I'm not the Gawker leaders who dared the Internet
to hack away. Those are the people who look like chumps.

P. J. Connolly began writing for IT publications in 1997 and has a lengthy track record in both news and reviews. Since then, he's built two test labs from scratch and earned a reputation as the nicest skeptic you'll ever meet. Before taking up journalism, P. J. was an IT manager and consultant in San Francisco with a knack for networking the Apple Macintosh, and his love for technology is exceeded only by his contempt for the flavor of the month. Speaking of which, you can follow P. J. on Twitter at pjc415, or drop him an email at pjc@eweek.com.